51 percent Ethereum Classic hacker returns $100,000 in stolen cryptocurrency

An exchange has mulled over the possibility of the hacker being white-hat, but $1 million is still unaccounted for.


The cyberattacker believed to be responsible for a 51 percent attack on the Ethereum Classic (ETC) blockchain has returned $100,000 in stolen proceeds, while keeping roughly $1 million.

According to Gate.io, the funds were returned last week, but it is not known why the cryptocurrency was returned or for what purpose, and efforts to contact the hacker have so far proved fruitless.

“We still don’t know the reason,” the cryptocurrency exchange said. “If the attacker didn’t run it for profit, he might be a white hacker who wanted to remind people of the risks in blockchain consensus and hashing power security.”

This is a possibility, but even so, the potential ‘white hat’ has still kept a fortune in cryptocurrency for themselves following the attack.

The ETC blockchain was the victim of what is known as a 51 percent attack starting on 5 January, leading to the theft of $1.1 million in the Ethereum Classic cryptocurrency. 

In a 51 percent attack, a majority of the network's hashing power lets the attacker force the blockchain to reorganize and take control of which transactions the network accepts. In this case, it is believed over 100 blocks were reorganized.

Once an attacker has wrested control of more than 50 percent of the hashing power, they can modify and execute transactions, as well as reverse transactions after they have been confirmed. This is known as “double spending.”

Theoretically, 51 percent attacks could take place on any kind of blockchain, but it does take access to a vast amount of computing power to execute these types of attacks.
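The amount of computing power an attacker needs can be made concrete. The block below is an added example, not part of the original article: it implements Nakamoto's catch-up probability from the Bitcoin white paper (section 11), which gives the chance that a miner holding fraction q of the hash power eventually replaces the last z blocks. The function names and the 0.1% risk target used in the demo are my own choices, not anything from the article.

```python
import math
from typing import Optional


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that a miner holding fraction q of the network hash power eventually
    overtakes the honest chain from z blocks behind (Nakamoto's formula, Bitcoin white
    paper, section 11). With q >= 0.5 the attacker out-mines the network on average, so
    the probability is 1 for every confirmation depth z."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a hash-power fraction between 0 and 1")
    if z < 0:
        raise ValueError("z must be a non-negative number of confirmations")
    p = 1.0 - q
    if q >= p:
        return 1.0
    lam = z * (q / p)
    remaining = 1.0
    for k in range(z + 1):
        # Poisson weight for the attacker having mined k blocks meanwhile; built
        # iteratively so large z does not overflow lam ** k
        poisson = math.exp(-lam)
        for i in range(1, k + 1):
            poisson *= lam / i
        remaining -= poisson * (1.0 - (q / p) ** (z - k))
    return min(1.0, max(0.0, remaining))


def confirmations_needed(q: float, max_probability: float, max_z: int = 10_000) -> Optional[int]:
    """Smallest confirmation count that keeps the attacker's success probability at or
    below max_probability; None when no finite count does (q >= 0.5) or the search
    limit is reached."""
    if q >= 0.5:
        return None
    for z in range(max_z + 1):
        if attacker_success_probability(q, z) <= max_probability:
            return z
    return None


if __name__ == "__main__":
    # Demo: how many confirmations a deposit needs for a 0.1% double-spend risk at each share
    for q in (0.10, 0.30, 0.45, 0.50, 0.66):
        z = confirmations_needed(q, 0.001)
        if z is None:
            print(f"attacker share {q:.0%}: no confirmation depth helps, the attacker out-mines the network")
        else:
            print(f"attacker share {q:.0%}: {z} confirmations keep risk under 0.1%")
```

The table this prints is the quantitative form of the article's point: below a majority, each extra confirmation cuts the risk exponentially, but once the attacker's share reaches 50 percent the probability is 1 regardless of how many confirmations an exchange waits for.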

Coinbase identified a total of 15 attacks, 12 of which included double spending in order to steal 219,500 ETC. In an analysis of the attack, SlowMist researchers documented transactions involving thousands of coins at a time taking place.

“We believe that due to the recent decline in blockchain funding, the net mining power of the whole network has declined,” the researchers said. “You have really felt the impact of the 51 percent on ETC, and it is foreseeable that the attack will increase rapidly with the cost of attack reduced.”

Some of the funds have been returned but this does not mean that the blockchain is safe from potential attacks by the same hacker in the future, or copycats who also possess the means to conduct 51 percent attacks.

Gate.io says that the hashing power of the ETC network is still not strong enough to fend off these types of attack and that the possibility exists of enough hashing power being rented out to hit the blockchain again.

“Gate.io has raised the ETC confirmation number to 4000 and launched a strict 51 percent detect for enhanced protection,” the platform added. “We also suggest other ETC exchanges take actions to protect the trader from blockchain rollback/reorg.”

SlowMist recommends that exchanges and pool operators increase their block confirmation requirements as a matter of urgency to mitigate the risk of 51 percent attacks. Both Gate.io and Bitfly have done so; however, if an attacker controls more than 50 percent of the network's computing power, longer confirmation requirements may not be enough.
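To show what the reorganization described earlier looks like from an exchange's side, and what a confirmation requirement and a “51 percent detect” of the kind Gate.io mentions actually do, here is an added toy model written for this page; it is not code from Gate.io, SlowMist or any ETC project. The chain, the transaction ids and the deposit scenario are all constructed; `DepositMonitor`, `reorg_depth` and the other names are my own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Block:
    """One block of a toy proof-of-work chain. `work` stands in for the hashing spent on
    the block; the branch with the most cumulative work wins, as on Ethereum-family chains."""
    block_hash: str
    parent_hash: str
    height: int
    work: int
    txids: Tuple[str, ...]


def make_chain(prefix: str, parent: Optional[Block], n: int, work: int,
               txs_at: Dict[int, Tuple[str, ...]]) -> List[Block]:
    """Mine n blocks on top of `parent` (None = genesis); txs_at maps height -> txids."""
    blocks: List[Block] = []
    prev = parent
    start = parent.height + 1 if parent else 0
    for h in range(start, start + n):
        blk = Block(f"{prefix}{h}", prev.block_hash if prev else "0" * 8, h, work, txs_at.get(h, ()))
        blocks.append(blk)
        prev = blk
    return blocks


def total_work(chain: List[Block]) -> int:
    return sum(b.work for b in chain)


def confirmations(chain: List[Block], txid: str) -> int:
    """0 if txid is absent from the chain; otherwise blocks from the including block to the tip."""
    for b in chain:
        if txid in b.txids:
            return chain[-1].height - b.height + 1
    return 0


def reorg_depth(old: List[Block], new: List[Block]) -> int:
    """How many blocks of `old` are discarded when a node switches to `new`."""
    common = 0
    for a, b in zip(old, new):
        if a.block_hash != b.block_hash:
            break
        common += 1
    return len(old) - common


class DepositMonitor:
    """Exchange-side deposit tracking: credit after N confirmations, raise an alarm on deep
    reorgs, and flag credited deposits whose transaction vanished from the canonical chain."""

    def __init__(self, required_confirmations: int, reorg_alert_depth: int) -> None:
        self.required = required_confirmations
        self.alert_depth = reorg_alert_depth
        self.best: List[Block] = []
        self.watched: Set[str] = set()
        self.credited: Set[str] = set()
        self.reverted: Set[str] = set()
        self.alerts: List[str] = []
        self.last_reorg_depth = 0

    def watch(self, txid: str) -> None:
        self.watched.add(txid)

    def on_chain(self, chain: List[Block]) -> None:
        if total_work(chain) <= total_work(self.best):
            return                                   # lighter branch: nodes ignore it
        depth = reorg_depth(self.best, chain)
        self.last_reorg_depth = depth
        if depth >= self.alert_depth:
            self.alerts.append(f"reorg of depth {depth} at height {chain[-1].height}: "
                               "halt deposits and withdrawals, review affected accounts")
        self.best = chain
        for txid in list(self.credited):
            if confirmations(chain, txid) == 0:      # credited earlier, now double-spent
                self.credited.discard(txid)
                self.reverted.add(txid)
        for txid in self.watched:
            if txid not in self.reverted and confirmations(chain, txid) >= self.required:
                self.credited.add(txid)


DEPOSIT_TX = "tx_deposit_to_exchange"   # constructed: attacker's coins -> exchange wallet
CONFLICT_TX = "tx_same_coins_to_self"   # constructed: same coins -> attacker's own wallet


def run_scenario(required_confirmations: int, reorg_alert_depth: int) -> dict:
    """Honest chain of 8 blocks carrying the deposit at height 3; the attacker forks after
    height 2, hides the conflicting spend at height 3 and releases a heavier branch to height 10."""
    genesis = make_chain("G", None, 1, 1, {})
    honest = genesis + make_chain("H", genesis[-1], 8, 1, {3: (DEPOSIT_TX,)})
    attacker = honest[:3] + make_chain("A", honest[2], 8, 1, {3: (CONFLICT_TX,)})

    mon = DepositMonitor(required_confirmations, reorg_alert_depth)
    mon.watch(DEPOSIT_TX)
    for n in range(1, len(honest) + 1):          # honest blocks arrive one at a time
        mon.on_chain(honest[:n])
    credited_before = DEPOSIT_TX in mon.credited
    mon.on_chain(attacker)                       # the withheld branch is published
    return {
        "credited_before_reorg": credited_before,
        "reverted": sorted(mon.reverted),
        "reorg_depth": mon.last_reorg_depth,
        "alerts": mon.alerts,
        "conflict_confirmations": confirmations(mon.best, CONFLICT_TX),
    }


if __name__ == "__main__":
    for req in (6, 10):
        print(f"policy: {req} confirmations ->", run_scenario(req, reorg_alert_depth=3))
```

With a 6-confirmation policy the deposit is credited and then reverted by a 6-block reorg; with a 10-confirmation policy it is never credited, so the exchange loses nothing, but the monitor still raises the alarm because the reorg itself is the signal. An attacker with a true majority can keep extending the private branch past any fixed depth, which is why the alert and the pause it triggers matter at least as much as the confirmation count.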


Author: Charlie Osborne

This College Freshman Is Out to 51% Attack Your Cryptocurrency

A college freshman is coming after your cryptocurrency – but not to steal your coins, just to prove that someone could do so pretty easily.

According to a crypto enthusiast and security researcher going by the handle “geocold51,” most small-scale cryptocurrencies are at risk from the industry’s most feared vulnerability – the 51% attack. During this attack, a miner takes over more than half of a cryptocurrency’s mining power, which then allows them to erase a past transaction and replace it with another transaction – called a double spend.

While the ecosystem that’s been built up around bitcoin and other top-tier cryptos make them resistant to these kinds of attacks, other cryptocurrencies with less of a community of miners aren’t as secure.

Sure enough, on smaller coins, these kinds of attacks are getting more common. In a new report, Group-IB found $20 million worth of crypto theft accomplished with such attacks in 2018, as TNW reported.

On Saturday, October 13, geocold51 decided to display just how easy it was – livestreaming his attempt to 51% attack Bitcoin Private, a crypto with close to a $47 million market cap (at the time of writing).

Speaking to CoinDesk, geocold51 said, if a cryptocurrency can be so easily attacked, “it’s sort of a misvalue of a given currency by different investors.”

Geocold51 estimates he spent $100 to get to the point where he could have done a demonstration double spend on bitcoin private, but he stopped because his livestream got pulled.

Just to be clear, geocold51 wasn’t interested in stealing, and so he set up the demonstration where he’d send the bitcoin private he owned to two different wallets he owned. In that way, no user or exchange provider gets ripped off.

For him, it’s about displaying that many coins are vulnerable and, therefore, perhaps vastly over-valued.

That said, he estimates that to make a profit off a 51% attack, a malicious attacker would have to spend roughly double, so around $200: buy some bitcoin on an exchange with his bitcoin private, then publish a longer chain with another transaction that invalidates the first one, giving him his bitcoin private coins back and leaving the exchange coming up short.

While going through the exchange process costs more, the 51% attack has still become quite economical due to the rise of cloud computing. According to geocold51, without access to cloud mining, an attack like he did on bitcoin private would have cost him about $100,000 in hardware.

“Nicehash and the ability to rent hashing power fundamentally changes the landscape of 51% attacks,” geocold51 told CoinDesk, adding:

“If there’s not a lot of hashing power to secure it, but there is a lot of value associated with it, that’s where you can do a 51% attack.”

Because geocold51 announced the livestream on Reddit, the attempted attack got quite a bit of attention – even dogecoin creator Jackson Palmer tweeted about watching.

Still, the livestream didn’t work exactly as planned, and because of that, geocold51 said he would run a complete attack later. He told CoinDesk he will do it without a stream this week and release a recording of his demonstration on YouTube shortly after.

The inspiration

The young security researcher’s handle might remind some of another security guru.

According to geocold51, he was inspired by one of the most legendary hackers of recent years: geohot, who famously jailbroke the original iPhone, which means the restrictions on carriers and apps were removed.

These days, geohot likes to livestream himself searching for vulnerabilities.

And geocold51 figured he could start doing the same within the cryptocurrency ecosystem.

Geocold51 has a good knowledge of crypto. Back when GPU hardware was still lucrative for hobbyist miners, geocold51 mined quite a bit of bitcoin. He then began trading on Cryptsy, before the exchange’s CEO allegedly walked away with millions of dollars of its users’ money.

In that, he lost nearly all his bitcoin.

But he still remained interested in the space, and continued to study up on how it all worked. And as the industry divided into hundreds and thousands of different cryptocurrencies, geocold51 thought he might be able to shine some light on the security pitfalls.

And others were interested in that too. His Reddit post about the challenge garnered 1,500 upvotes, and on Twitch he received $888 in donations.

The day of the attack

What’s also interesting is that bitcoin private wasn’t his first target.

Instead, geocold51 had intended to go after einsteinium, a volunteer-run litecoin fork with a $19 million market cap and $598,000 in trading volume per day, at the time of this writing.

He announced his intent publicly, and as he got ready for the attack, commenters within his Twitch feed noted that the cryptocurrency’s hash rate was spiking.

Because he had announced the attack in advance, the einsteinium community boosted the hash rate because it was worried that such an attack could cause a chain split and create a second blockchain that people could get stuck on, according to Ben Kurland, one of the project’s board members. At that time, einsteinium was in the middle of a wallet upgrade. If users or exchanges did not upgrade their wallets in time, the blockchain split could have caused property loss.

Seeing the increased hash power, geocold51 decided to attack bitcoin private instead.

According to geocold51, he got up to 60,000 views during the Twitch livestream, before Twitch shut the stream down. The team at Twitch, he said, temporarily suspended him under the “attempts of threats of harm” section of its community guidelines.

He got another livestream up on Stream.Me a half-hour later.

Once broadcasting there, he was able to hire miners through Nicehash to mine bitcoin private. In fact, he almost immediately mined a block. And in very little time, he was controlling more than 50 percent of the hash power on the blockchain.

Pretty soon an account called “CommunityWatch” popped up in the stream and wrote: “Just a quick question: I’m assuming everything we are doing here is legal?”

Minutes later, geocold51’s video feed on Stream.Me cut out.

Geocold51 told CoinDesk that he had already gotten about two-thirds of the hash rate on bitcoin private. He’d transmitted his first transaction to a second wallet he controlled. And he had written another transaction onto an offline chain that went to a third wallet he controlled.

He was about to send this longer chain to the network, but since the whole point was to show people the attack could be done easily, he stopped once the livestreams shut off.

Protected in another way

Still, geocold51 is determined to follow through with his mission, and so will record his next attack to share on YouTube soon.

And while this vulnerability is likely to be worrying to many in the community, geocold51 noted that there is another way these coins are protected based on cryptocurrency game theory.

If someone tried to sell any significant volume of the coins, their price would likely plummet, since the community isn’t robust enough and doesn’t have huge amounts of liquidity. As such, geocold51 argued, even if it is easy to buy hash power and take over a network, it might not be feasible to make a lot of money from an attack.

Nevertheless, geocold51 is committed to continuing, using the donations he received to maybe even try to 51% attack more cryptocurrencies as well.

In fact, he told CoinDesk, he may intentionally attack some cryptocurrencies that have set up preventative measures for 51% attacks, to test them in production. For instance, the team developing Horizen (formerly zencash) believes it’s found a way to disincentivize 51% attacks by introducing certain miner penalties.
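The article only says that Horizen's approach adds “certain miner penalties”, so as an added illustration (not Horizen's code or its exact rule, and not anything geocold51 tested) here is a simplified delay-penalty fork choice of that general kind. A block that arrives long after the main chain has passed its height is charged a delay, and a competing branch is adopted only once its lead over the main chain exceeds the sum of those delays. All names, the branch scenario and the penalty formula are my own assumptions.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class SeenBlock:
    height: int
    seen_at_height: int   # height of this node's main chain when the block first arrived


def block_delay(b: SeenBlock) -> int:
    """Blocks by which the main chain was already ahead when this block showed up;
    a block broadcast as soon as it is mined has delay 0."""
    return max(0, b.seen_at_height - b.height)


def branch_penalty(branch: List[SeenBlock]) -> int:
    return sum(block_delay(b) for b in branch)


def longest_chain_adopts(main_height: int, branch: List[SeenBlock]) -> bool:
    """Plain rule: any longer branch replaces the main chain immediately."""
    return branch[-1].height > main_height


def penalised_adopts(main_height: int, branch: List[SeenBlock]) -> bool:
    """Delay-penalty rule (simplified, assumed): the branch must lead by more than
    its accumulated penalty before nodes switch to it."""
    lead = branch[-1].height - main_height
    return lead > branch_penalty(branch)


def extra_blocks_needed(main_height: int, branch: List[SeenBlock]) -> int:
    """Further promptly broadcast blocks (delay 0) the branch needs, with the main chain
    standing still, before the penalised rule would adopt it."""
    lead = branch[-1].height - main_height
    return max(0, branch_penalty(branch) + 1 - lead)


def withheld_branch_scenario() -> dict:
    """Constructed: main chain at height 8; a branch forked after height 2 is mined in
    secret up to height 10 and published all at once, so every block is first seen at 8."""
    main_height = 8
    withheld = [SeenBlock(h, main_height) for h in range(3, 11)]
    # For contrast, an honest competing branch that was broadcast block by block
    live = [SeenBlock(h, h) for h in range(3, 10)]
    return {
        "withheld_penalty": branch_penalty(withheld),
        "withheld_longest_rule": longest_chain_adopts(main_height, withheld),
        "withheld_penalised_rule": penalised_adopts(main_height, withheld),
        "withheld_extra_blocks": extra_blocks_needed(main_height, withheld),
        "live_penalty": branch_penalty(live),
        "live_penalised_rule": penalised_adopts(main_height, live),
    }


if __name__ == "__main__":
    for key, value in withheld_branch_scenario().items():
        print(f"{key}: {value}")
```

Under the plain rule the secretly mined branch wins with a lead of two blocks; under the penalty rule it has accumulated a penalty of 15 and would need 14 more blocks before any node switched, while the honest network keeps mining and the exchange's reorg monitoring has time to react. The live branch that was broadcast normally carries no penalty, so ordinary short forks are handled exactly as before.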

Geocold51 said he would be happy to fail against some of these measures.

Running the demonstrations privately and adding some production value on the final recording will likely make for more edifying content, according to geocold51, but he’s still a bit disappointed that his original plan didn’t pan out.

To CoinDesk, he concluded:

“There is something kind of neat about it being live.”

Twitch, Stream.Me and bitcoin private’s teams did not reply to a request for comment for this story.


Author: Brady Dale

Debunked: How Nouriel Roubini Failed to Attack Crypto with Cherrypicked Data

Recognized economist Nouriel Roubini, a professor at Stern School and NYU, recently launched a series of attacks against the crypto sector.

All of the False Claims Roubini Made

He claimed Bitcoin is a Ponzi scheme, Ethereum co-creator Vitalik Buterin amassed a wealth of a billion dollars by creating a pre-mined blockchain network, and said public blockchain protocols are unusable due to $60 fees — all of which are completely false.

Buterin disclosed that he had never held more than 0.9 percent of Ethereum’s total supply and had nowhere close to a billion dollars. The Bitcoin transaction fee is estimated at around $0.1 according to Blockchain, not $60.

First claim: Bitcoin transaction fee is $60

Absurdly, Roubini pushed the narrative that Bitcoin’s transaction fee is $60, so that paying for a product of lesser value, such as a cup of coffee, costs upwards of $63.

For instance, Roubini stated that to purchase a Starbucks latte, which costs $2.9, one would have to pay $63 to buy with BTC.

Source: Bitinfocharts

However, the transaction fee of BTC is publicly available and verifiable data, so the claim is easily refuted. Hence, as Blocktower co-founder Ari Paul said, it remains unclear why Roubini led his criticism of crypto with a piece of information that anyone can refute with ease.

“BTC fees are less than $0.10, easily verifiable. If you value truth, you’d provide a public correction. If your goal is to mislead people with simply false statements, carry on. There’s nothing to research. Fees are publicly viewable from many sources (googling it works.) I find it better not to provide a specific source because then regardless of source, the source gets attacked,” Paul said.

More importantly, an investor of BTC recently moved 29,999 BTC worth $194 million on the Bitcoin blockchain with a fee of $0.1. With legacy systems, it costs over a hundred thousand dollars to move an amount that is larger than $10 million.

Second claim: Crypto is printed out of nowhere

Bitcoin, Ethereum, and many public blockchain protocols use a consensus algorithm called Proof of Work (PoW), which requires miners to spend large amounts of energy and hardware to verify transactions and generate new cryptocurrency.

Currently, at the price of $6,500, BTC mining is nearly at a breakeven level, which means miners are generating BTC without any profit in anticipation of an increase in the value of BTC in the long term.

Hence, the claim that crypto can be printed out of nowhere is false as miners need to cover significant expenses required to maintain a blockchain network.

Third claim: Buterin stole 75% of Ethereum’s supply

Earlier this month, Roubini claimed Joseph Lubin and Vitalik Buterin, the two co-creators of Ethereum, stole 75 percent of the supply of ETH, the native cryptocurrency of the Ethereum protocol.

“Vitalik Buterin was the ringleader – together with Joe Lubin – of the criminal pre-mining sale/scam that created Ether. They stole 75% of the Ether supply and became instant ‘millionaires’ of fake wealth.”

In response, Buterin reaffirmed that he had never held more than 0.9 percent of Ethereum’s supply, instantaneously refuting the claim of Roubini. The third claim was also easy to disprove because through blockchain explorers, anyone on the network can publicly and transparently verify wallets and transactions.

“I never personally held more than 0.9% of all ETH, and my net worth never came close to $1 billion. Also, I’m pretty sure there are no criminal laws against pre-mining,” said Buterin.

Why did Roubini do this?

It remains unclear why Roubini, who is respected in his field of economics and finance, decided to attack an industry with a series of arguments and claims that can be disproved with sufficient evidence and data that is available to the public.

